The primary reason we are seeing new CNAs is because Dan is out advertising that the CVE program is looking for new CNAs. I am not calling Dan out by saying this. He is doing what he has been told to do. I believe we should be spending MITRE resources, which
have limits, to work with the board to improve the structure and overall governance of the CVE program.

I am not suggesting we plateau the acquisition of CNAs, but instead that we not actively seek them out. If new CNAs come to the program on their own, I am good with bringing them in. We can then use the time saved to focus resources on making federation a reality
and working out how the federated model can be better governed. In my view, working on these things is critical to the long term success of CVE. We are not making progress as quickly as I had hoped. This is a good time to consider what we can do differently
to reprioritize.

Do you agree that working out federation and governance for the program is a priority? If not, what do you see as the biggest priorities?

: In this case, BAH was interested and was willing to participate in the
: program as a CNA for their own products. They are also willing to fill
: the gaps where other CNAs do not provide coverage. Our understanding
: from the discussion was that this CNA falls into the category of a large
: and established organization that should be part of the CVE program,
: especially if they are reaching out to us to participate. It was the
: smaller research organizations that were the issue, right?

In the interest of transparency, and because I don't know if this represents a conflict or not, or is tangentially related... but could NIST/NVD clarify BAH's current role in the NVD process?

For those not aware, for several years NIST would out-source the NVD meta-data generation (e.g. CPE, CVSS scoring) to junior BAH consultants. I don't know how long that went on, if it still does, or if they changed vendors over the years.

I had asked both MITRE and NVD many years back about their involvement in the context of "when they find an error in a CVE, who do they report to"
and I don't recall getting a real answer other than what in my memory was bureaucratic speak for "don't worry, it's handled".